What Is Hypervisor-based Security and Why Is It Important in Stopping Zero-Day Exploits?

Recent studies show that it takes a company an average of five months to discover a data breach, and that 53 percent of these incidents are detected only after an external audit. This is concerning given the current cyber security landscape, where endpoint security works with varying degrees of success and data center security remains largely uncharted territory. As attacks against data centers keep growing in sophistication, development of effective data center security products is moving too slowly to meet the needs of enterprises struggling to defend against a steady stream of new threats.

Why don’t enterprise security solutions pick up more threats?

One thing common to nearly every exploit that gains code execution, whether the vulnerability it abuses is known or not, is that it has to manipulate memory: corrupt a pointer, inject code, or redirect control flow. Traditional endpoint security solutions are very good at identifying file-based malware and at monitoring the operating system (OS) from within it. However, because every in-guest security solution relies on information supplied by the OS, an attacker who reaches kernel privilege through a zero-day vulnerability or a file-less technique can subvert the very OS the security agent depends on. The malware hooks or alters the kernel structures and APIs the agent queries, so the OS effectively “lies” to the endpoint security solution and the suspicious activity never shows up.

How do you catch something you can’t see?

Fortunately, while cyber-attacks have evolved rapidly, the shape of enterprise IT infrastructure has changed just as completely, and that change creates a new place to defend from. In a virtualized data center the hypervisor sits between the virtualized endpoints and the physical hardware, mediating every access to CPU, memory and devices. This opens the brand-new opportunity of delivering security from the hypervisor layer.

The hypervisor, built mainly for consolidation and resource management, has untapped security potential. It sees clean, unaltered information about the memory used by each virtual machine, and it is isolated from them by hardware: short of a vulnerability in the hypervisor itself, a guest cannot read or modify hypervisor memory or the memory of other guests. That combination of full visibility and strong isolation is what makes real-time detection and prevention of advanced attacks possible at the hypervisor layer.

Leveraging the hypervisor to tap directly into raw memory, hypervisor-level security solutions can secure workloads from outside the operating system. The mechanism is second-level address translation (Intel EPT, AMD NPT): the hypervisor's own page tables carry a separate set of read/write/execute permissions that the guest can neither see nor change. The security solution can therefore mark a workload's data pages as read/write but not executable, regardless of what the guest's own page tables say. When an attack tries to execute code from such a page, the access triggers an EPT violation and a VM exit; the hypervisor stops the operation and notifies the engine in the security appliance with the faulting address and the type of access attempted. The same trick in the other direction, marking code pages as non-writable, catches attempts to patch kernel or application code in place.

How do hypervisor-security solutions “see” processes in memory?

Hypervisor-level security runs the detection engine in a separate security virtual appliance and, most importantly, isolates it from the guest VMs that may be housing malware. This means a rootkit inside a guest can neither hide from the security appliance nor interfere with its operation. With full read access to guest memory, the solution can see what is truly there rather than what a compromised kernel reports; the price is that it has to interpret raw memory itself, using knowledge of the guest kernel's data structures, since there is no OS API to ask.

Traditionally, endpoint detection technologies try to detect an attack by looking at what the malicious file or code is (signature-based matching) or at how it behaves (heuristic and behavioral monitoring), and both views are supplied by the OS. Hypervisor-level security instead provides insight into what an attack looks like at the memory level. Even if everything looks normal from inside the OS, malware inevitably leaves traces in the memory space: injected code, patched functions, unlinked or mismatched kernel structures.
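To make the two points above concrete (a rootkit cannot hide from an appliance that reads raw memory, and malware leaves traces there), here is an added example of the cross-view technique an introspection engine applies to guest memory. It is not code from the original post or from Bitdefender. It walks the OS's own process list (what an in-guest agent would be told), scans the same memory for process objects by their allocator tag (what is actually there), and reports any object present in memory but absent from the list. The object layout, the "Proc" tag, the addresses, the process names and the decoy string are all constructed for the example; a real engine needs the real kernel's structure layouts, which is the "semantic gap" it has to bridge.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_MEM_SIZE 0x4000u
#define PROC_TAG       0x636f7250u  /* "Proc" in little-endian byte order */
#define STRIDE         16u          /* constructed objects are 16-byte aligned */

/* Simplified process object as laid out in guest memory, constructed for this
 * example: 'tag' is the allocator tag the kernel leaves in memory, 'flink' and
 * 'blink' are guest-physical addresses of the next/previous process. Real
 * kernel objects (e.g. Windows EPROCESS) are far larger and their offsets vary
 * by build, which is why introspection engines carry per-kernel layout profiles. */
struct proc { uint32_t tag, pid, flink, blink; char name[16]; };
static void rd(const uint8_t *mem, uint32_t gpa, struct proc *p) { memcpy(p, mem + gpa, sizeof *p); }
static void wr(uint8_t *mem, uint32_t gpa, const struct proc *p) { memcpy(mem + gpa, p, sizeof *p); }
static int valid_gpa(uint32_t gpa) { return gpa % STRIDE == 0 && gpa + sizeof(struct proc) <= GUEST_MEM_SIZE; }

/* View 1: what the guest OS reports. Follows the active-process list from
 * 'head' until it wraps; bounded so a corrupted list cannot loop forever. */
size_t walk_list(const uint8_t *mem, uint32_t head, uint32_t *pids, size_t max)
{
    size_t n = 0;
    for (uint32_t cur = head; valid_gpa(cur) && n < max; ) {
        struct proc p;
        rd(mem, cur, &p);
        pids[n++] = p.pid;
        if ((cur = p.flink) == head) break;
    }
    return n;
}

/* View 2: what raw memory contains. Scans every aligned slot for the tag and
 * sanity-checks each hit so a stray "Proc" string in a data buffer is rejected. */
size_t scan_memory(const uint8_t *mem, uint32_t *pids, size_t max)
{
    size_t n = 0;
    for (uint32_t gpa = 0; valid_gpa(gpa) && n < max; gpa += STRIDE) {
        struct proc p;
        rd(mem, gpa, &p);
        if (p.tag != PROC_TAG || !valid_gpa(p.flink) || !valid_gpa(p.blink)) continue;
        if (p.pid == 0 || memchr(p.name, '\0', sizeof p.name) == NULL) continue;
        pids[n++] = p.pid;
    }
    return n;
}

/* The rootkit's move (DKOM): unlink the object but leave it intact, so the
 * process keeps running while in-guest enumeration, which walks the list, drops it. */
void dkom_unlink(uint8_t *mem, uint32_t gpa)
{
    struct proc p, prev, next;
    rd(mem, gpa, &p); rd(mem, p.blink, &prev); rd(mem, p.flink, &next);
    prev.flink = p.flink;
    next.blink = p.blink;
    wr(mem, p.blink, &prev); wr(mem, p.flink, &next);
}

/* Constructed guest memory: four processes in a circular list plus a decoy
 * "Process list" string at 0x3000 that must not be reported as a process. */
static void build_guest(uint8_t *mem)
{
    static const uint32_t at[4] = { 0x1000, 0x1800, 0x2000, 0x2800 };
    static const uint32_t pid[4] = { 4, 312, 1337, 900 };
    static const char *name[4] = { "System", "svchost", "implant", "explorer" };
    memset(mem, 0, GUEST_MEM_SIZE);
    for (int i = 0; i < 4; i++) {
        struct proc p = { PROC_TAG, pid[i], at[(i + 1) % 4], at[(i + 3) % 4], "" };
        strncpy(p.name, name[i], sizeof p.name - 1);
        wr(mem, at[i], &p);
    }
    memcpy(mem + 0x3000, "Process list", 13);
}

/* Whole scenario: hide pid 1337 the way a rootkit would, then cross-view the two
 * enumerations from outside the guest. Returns how many processes are in memory
 * but missing from the OS list and stores their pids in 'hidden'. */
size_t demo(uint32_t *hidden, size_t max)
{
    static uint8_t mem[GUEST_MEM_SIZE];
    uint32_t listed[16], scanned[16];
    size_t n = 0;
    build_guest(mem); dkom_unlink(mem, 0x2000);
    size_t nl = walk_list(mem, 0x1000, listed, 16);
    size_t ns = scan_memory(mem, scanned, 16);
    for (size_t i = 0; i < ns && n < max; i++) {
        size_t j = 0;
        while (j < nl && listed[j] != scanned[i]) j++;
        if (j == nl) hidden[n++] = scanned[i];
    }
    return n;
}

int main(void)
{
    uint32_t h[16]; size_t n = demo(h, 16);
    for (size_t i = 0; i < n; i++) printf("pid %u is in memory but not in the OS list\n", h[i]);
    return 0;
}
```

The cross-view works because the unlinked object has to stay intact for the hidden process to keep being scheduled; that is the trace the post refers to. A rootkit could also overwrite the tag to defeat the scan, but then it has to keep the kernel's own bookkeeping working without it, which is why scanners validate candidates on several fields rather than on the tag alone.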

Utilizing the hypervisor for security is a crucial paradigm shift. While vulnerabilities are countless, the set of techniques an exploit must use to turn one into code execution is small and has stayed stable for years, and all of them center on misusing memory to get malicious code executed. Hypervisor-level security solutions can therefore identify common exploitation and post-exploitation techniques (e.g. code injection, function detouring, API hooking) without knowing beforehand the actual vulnerabilities the attackers use.
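The page-permission mechanism the post relies on, as an added example that is not part of the original post or of any vendor's product: a small C model of the two-level permission check a CPU performs with second-level address translation enabled (Intel EPT; AMD NPT works the same way with different encodings), showing how a policy set from the hypervisor catches both techniques named above, execution of injected code from a data page and in-place patching of a code page, even when the attacker has already rewritten the guest's own page tables. The permission and exit-qualification bit positions follow Intel's SDM; the page classification, the policy in apply_policy and the verdict strings are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Permission bits in the low three bits of an Intel EPT paging-structure entry
 * (SDM Vol. 3C): bit 0 read, bit 1 write, bit 2 execute. The same encoding is
 * reused for the guest-side permissions to keep the model small. */
#define PERM_R 0x1u
#define PERM_W 0x2u
#define PERM_X 0x4u

/* Low bits of the EPT-violation exit qualification (SDM Vol. 3C): bits 0-2 say
 * which access faulted, bits 3-5 which permissions the EPT entry carried. */
#define EQ_READ  (1u << 0)
#define EQ_WRITE (1u << 1)
#define EQ_FETCH (1u << 2)
#define EQ_WAS_R (1u << 3)
#define EQ_WAS_W (1u << 4)
#define EQ_WAS_X (1u << 5)

enum page_kind { PAGE_CODE, PAGE_DATA };
enum outcome   { ACCESS_OK, GUEST_PAGE_FAULT, EPT_VIOLATION };

struct page {
    uint64_t gpa;         /* guest-physical address, for reporting */
    enum page_kind kind;  /* how the appliance classified the page (assumed) */
    uint32_t guest_perm;  /* what the guest's own page tables say */
    uint32_t ept_perm;    /* what the hypervisor's EPT entry says */
};

/* Hypothetical appliance policy applied when a guest is put under protection:
 * code pages read+execute, everything else read+write. The guest can neither
 * see nor modify ept_perm. */
void apply_policy(struct page *p)
{
    p->ept_perm = (p->kind == PAGE_CODE) ? (PERM_R | PERM_X) : (PERM_R | PERM_W);
}

/* Models the two-level check the CPU performs with EPT enabled: guest page
 * tables first (a miss there is an ordinary #PF handled inside the guest), then
 * the EPT entry. A miss in EPT is a VM exit that carries an exit qualification,
 * which is what the engine in the security appliance receives. */
enum outcome access_page(const struct page *p, uint32_t access, uint32_t *exit_qual)
{
    uint32_t q = 0;
    *exit_qual = 0;
    if ((p->guest_perm & access) != access)
        return GUEST_PAGE_FAULT;
    if ((p->ept_perm & access) == access)
        return ACCESS_OK;
    if (access & PERM_R) q |= EQ_READ;
    if (access & PERM_W) q |= EQ_WRITE;
    if (access & PERM_X) q |= EQ_FETCH;
    if (p->ept_perm & PERM_R) q |= EQ_WAS_R;
    if (p->ept_perm & PERM_W) q |= EQ_WAS_W;
    if (p->ept_perm & PERM_X) q |= EQ_WAS_X;
    *exit_qual = q;
    return EPT_VIOLATION;
}

/* What the engine makes of the exit: the two interesting cases are exactly the
 * techniques the post names. Verdict strings are this example's own. */
const char *classify(enum page_kind kind, uint32_t exit_qual)
{
    if ((exit_qual & EQ_FETCH) && kind == PAGE_DATA)
        return "execution from a data page (injected code)";
    if ((exit_qual & EQ_WRITE) && kind == PAGE_CODE)
        return "write to a code page (inline hook / function detour)";
    return "other policy violation";
}

/* Builds a page of the given kind with the guest-side permissions an attacker
 * has arranged, applies the policy and attempts the access. Returns
 * (outcome << 8) | exit_qualification so one value captures both. */
uint32_t probe(enum page_kind kind, uint32_t guest_perm, uint32_t access)
{
    struct page p = { 0x1000, kind, guest_perm, 0 };
    uint32_t q;
    apply_policy(&p);
    enum outcome o = access_page(&p, access, &q);
    return ((uint32_t)o << 8) | q;
}

int main(void)
{
    /* 1. Shellcode staged on the heap. The attacker owns the guest kernel and
     *    has already flipped the guest PTE to RWX; the EPT entry still says RW. */
    uint32_t r = probe(PAGE_DATA, PERM_R | PERM_W | PERM_X, PERM_X);
    printf("exec heap:  outcome=%u qual=0x%02x -> %s\n", r >> 8, r & 0xff, classify(PAGE_DATA, r & 0xff));
    /* 2. Patching a kernel function in place (function detouring). */
    r = probe(PAGE_CODE, PERM_R | PERM_W | PERM_X, PERM_W);
    printf("write text: outcome=%u qual=0x%02x -> %s\n", r >> 8, r & 0xff, classify(PAGE_CODE, r & 0xff));
    /* 3. Legitimate execution of code pages is unaffected (outcome 0). */
    r = probe(PAGE_CODE, PERM_R | PERM_X, PERM_X);
    printf("exec text:  outcome=%u\n", r >> 8);
    return 0;
}
```

The point of the model is the order of the checks: the guest's RWX mapping is honoured by the first check and still loses to the hypervisor's entry in the second, and the exit qualification tells the engine both what was attempted and what the page was allowed to do. In a real deployment the policy is applied selectively, and the exit handler has to recognise legitimate cases such as a JIT compiler or a loader writing to pages it is about to execute, which is why such engines combine the trap with context about which guest process and module triggered it before blocking.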

By placing security measures outside the operating system, that is, outside the guest machines, security solutions gain unparalleled visibility into advanced threats while remaining isolated from them. This means enterprises of all sizes can close the blind spots of endpoint security solutions, fortifying their infrastructures against cyber-attacks.

About the author: Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the Web without protection or how to rodeo with wild Trojan horses.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
